    1d65c1bc
    Check Origin header before accept/edit/delete · 1d65c1bc
    Lukas Braun authored
For some protection against CSRF attacks, check if the Origin header is
the weburl we are listening on before handling POSTs to
moderation/{edit,accept}/<doc>.
If the request does not contain an Origin header (which should never be
the case for POST requests in modern browsers), a warning is printed and
the request is handled anyway.

It is probably a good idea to implement some CSRF token mechanism to
authenticate requests as well; I'm not sure how robust this Origin
checking stuff really is.
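The check the commit message describes, written out as an added example (not the project's own code): compare the request's Origin header against the configured weburl as a (scheme, host, port) triple, log and tolerate a missing Origin header as the message says the commit does, and layer an HMAC-based CSRF token on top as the message suggests. The function names, the `require_origin` switch, the header/form dict shapes and the sample values are assumptions for illustration.

```python
"""Added example: Origin-header check plus a synchronizer-style CSRF token.
Not the project's code; names and argument shapes are assumed."""
import hashlib
import hmac
import logging
import secrets
from urllib.parse import urlsplit

log = logging.getLogger("csrf")


def _origin_of(url):
    """Reduce a URL or Origin value to its (scheme, host, port) triple.
    Returns None for anything that is not an http(s) origin, e.g. 'null'."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), p.hostname.lower(), port)


def origin_allowed(headers, weburl, *, require_origin=False):
    """True if the request's Origin matches the weburl we serve on.

    headers: dict of request headers (looked up case-insensitively).
    A missing Origin header is logged and, as in the commit message,
    tolerated unless require_origin=True is passed."""
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if origin is None:
        log.warning("POST without Origin header; allowing (require_origin=%s)",
                    require_origin)
        return not require_origin
    got = _origin_of(origin)
    return got is not None and got == _origin_of(weburl)


def issue_csrf_token(secret, session_id):
    """Mint a token bound to the session: '<nonce>.<hmac(secret, session:nonce)>'."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(secret, session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def post_allowed(headers, form, weburl, secret, session_id):
    """Both checks must pass for a state-changing POST such as moderation/accept."""
    return origin_allowed(headers, weburl) and csrf_token_valid(
        secret, session_id, form.get("csrf_token"))


if __name__ == "__main__":
    # Constructed sample request against an assumed weburl.
    secret, sid, weburl = b"assumed-server-secret", "session-1", "https://example.test"
    token = issue_csrf_token(secret, sid)
    print(post_allowed({"Origin": "https://example.test"}, {"csrf_token": token},
                       weburl, secret, sid))
```

Comparing the parsed triple rather than the raw string makes `https://example.test:443` and `https://example.test` agree while rejecting the `null` origin that browsers send for sandboxed or opaque contexts; the token closes the gap left by clients that omit Origin.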